Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4
Accepted Solution

IPSec VPN to Fortinet Many to one Source

Wondering if someone could help me out here; I'm probably missing a route or some configuration.

EdgeMAX Lite router on my side trying to connect to a Fortinet.

I've used the following links to try and get this working:

https://help.ubnt.com/hc/en-us/articles/115015908768-EdgeRouter-IPsec-Site-to-Site-VPN-with-Many-to-...

https://community.ubnt.com/t5/EdgeRouter/EdgeMAX-to-Fortinet-IPSEC-Tunnel-Tutorial/td-p/1489687

I can get the tunnel to come up and the NAT seems to work; however, I can't get traffic to flow. Nothing seems to hit the firewall rules.

Do I need to add anything other than the following? (Firewall/NAT not listed here is the default from the wizard.)

set vpn ipsec ipsec-interfaces interface eth0

set interfaces vti vti0 address 198.168.127.132/32

set vpn ipsec ike-group Telus lifetime 86400
set vpn ipsec ike-group Telus proposal 1 dh-group 5
set vpn ipsec ike-group Telus proposal 1 encryption aes256
set vpn ipsec ike-group Telus proposal 1 hash md5

set vpn ipsec esp-group Telus compression disable
set vpn ipsec esp-group Telus lifetime 43200
set vpn ipsec esp-group Telus mode tunnel
set vpn ipsec esp-group Telus pfs enable
set vpn ipsec esp-group Telus proposal 1 dh-group 5
set vpn ipsec esp-group Telus proposal 1 encryption aes256
set vpn ipsec esp-group Telus proposal 1 hash sha1

set vpn ipsec site-to-site peer <remoteRouterIP>
set vpn ipsec site-to-site peer <remoteRouterIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <remoteRouterIP> authentication pre-shared-secret <secrethere>
set vpn ipsec site-to-site peer <remoteRouterIP> connection-type initiate
set vpn ipsec site-to-site peer <remoteRouterIP> ike-group Telus
set vpn ipsec site-to-site peer <remoteRouterIP> local-address <localRouterIP>
set vpn ipsec site-to-site peer <remoteRouterIP> vti bind vti0
set vpn ipsec site-to-site peer <remoteRouterIP> vti esp-group Telus

set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description IPsec
set firewall name WAN_IN rule 60 source address 10.21.0.0/21
set firewall name WAN_IN rule 60 destination address 192.168.0.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description IPsec
set firewall name WAN_LOCAL rule 60 source address 10.21.0.0/21
set firewall name WAN_LOCAL rule 60 destination address 192.168.0.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

set service nat rule 5000 destination address 10.21.0.0/21
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 192.168.127.32
set service nat rule 5000 source address 192.168.0.0/24
set service nat rule 5000 type source

Accepted Solutions
Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

I switched to policy-based and got this working. For anyone that wants to connect a site-to-site VPN from an EdgeMAX to a FortiGate with many-to-one source NAT, here's the sum of it:

NAT:

set service nat rule 5000 destination address 10.21.0.0/21
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 192.168.127.132
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.0.0/24
set service nat rule 5000 type source

set service nat rule 5005 description ipsec-exclude
set service nat rule 5005 destination address 10.21.0.0/21
set service nat rule 5005 exclude
set service nat rule 5005 outbound-interface eth0
set service nat rule 5005 protocol all
set service nat rule 5005 source address 192.168.0.0/24
set service nat rule 5005 type masquerade

set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

VPN:

set vpn ipsec auto-firewall-nat-exclude disable

set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs dh-group5
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash md5

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec site-to-site peer <peer.wan.address> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <peer.wan.address> authentication pre-shared-secret ******
set vpn ipsec site-to-site peer <peer.wan.address> connection-type initiate
set vpn ipsec site-to-site peer <peer.wan.address> description VPN
set vpn ipsec site-to-site peer <peer.wan.address> ike-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> ikev2-reauth inherit
set vpn ipsec site-to-site peer <peer.wan.address> local-address <my.wan.address>
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 local prefix 192.168.127.132/32
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 remote prefix 10.21.0.0/21

Firewall:

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 destination address 192.168.0.0/24
set firewall name WAN_IN rule 60 ipsec match-ipsec
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 source address 10.21.0.0/21
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow IPSEC IKE'
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC ESP'
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 192.168.0.0/24
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 source address 10.21.0.0/21
set firewall name WAN_LOCAL rule 75 action accept
set firewall name WAN_LOCAL rule 75 description ICMP
set firewall name WAN_LOCAL rule 75 protocol icmp
set firewall name WAN_LOCAL rule 100 action drop
set firewall name WAN_LOCAL rule 100 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 100 state invalid enable
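The accepted solution above hinges on three things agreeing: the source-NAT outside-address must be the tunnel's local prefix, the SNAT and ipsec-exclude rules must come before the WAN masquerade (NAT rules are applied in numeric order), and the IKE/ESP proposals must match what the peer's administrator specified. The script below is an added example, not code from this thread or from Ubiquiti: it parses `set` commands of the form shown above and reports any of those mismatches. The sample config embedded in it is a cut-down copy of the accepted solution with the thread's own `<peer.wan.address>` placeholder, and the expected-parameter tables are the vendor's values written as EdgeOS keywords.

```python
"""Consistency checks for an EdgeOS policy-based IPsec tunnel with many-to-one source NAT.

Added example, not code from the thread or from Ubiquiti. It parses EdgeOS `set` commands
like those in the accepted solution and checks that the source-NAT address equals the
tunnel's local prefix, that the SNAT and ipsec-exclude rules precede the WAN masquerade,
and that the IKE/ESP proposals match the parameters the peer's administrator supplied.
"""
import shlex
from typing import Dict, List

# Constructed sample: the relevant lines of the accepted solution (peer address kept as placeholder).
SAMPLE_CONFIG = """
set service nat rule 5000 destination address 10.21.0.0/21
set service nat rule 5000 outside-address address 192.168.127.132
set service nat rule 5000 type source
set service nat rule 5005 destination address 10.21.0.0/21
set service nat rule 5005 exclude
set service nat rule 5005 type masquerade
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 type masquerade
set vpn ipsec esp-group FOO0 pfs dh-group5
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash md5
set vpn ipsec site-to-site peer <peer.wan.address> ike-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 local prefix 192.168.127.132/32
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 remote prefix 10.21.0.0/21
"""

# What the peer's administrator specified, written as EdgeOS keywords.
PEER_PHASE1 = {"proposal 1 encryption": "aes256", "proposal 1 hash": "md5", "proposal 1 dh-group": "5"}
PEER_PHASE2 = {"proposal 1 encryption": "aes256", "proposal 1 hash": "sha1", "pfs": "dh-group5"}

def parse_set_commands(text: str) -> List[List[str]]:
    """Tokenise every `set ...` line; shlex keeps a quoted description as one token."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.strip().startswith("set ")]

def lookup(cmds, *prefix: str) -> List[List[str]]:
    """Token tails of every command that starts with `prefix`."""
    n = len(prefix)
    return [c[n:] for c in cmds if c[:n] == list(prefix)]

def nat_rules(cmds) -> Dict[int, Dict[str, str]]:
    """{rule number: {"type": "source", "outside-address address": "...", "exclude": "", ...}}"""
    rules: Dict[int, Dict[str, str]] = {}
    for tail in lookup(cmds, "service", "nat", "rule"):
        attrs = rules.setdefault(int(tail[0]), {})
        key, val = (" ".join(tail[1:-1]), tail[-1]) if len(tail) > 2 else (tail[1], "")
        attrs[key] = val
    return rules

def tunnel_info(cmds) -> Dict[str, str]:
    """Peer address, ike-group, and the tunnel's esp-group / local prefix / remote prefix."""
    info: Dict[str, str] = {}
    for tail in lookup(cmds, "vpn", "ipsec", "site-to-site", "peer"):
        info["peer"], rest = tail[0], tail[1:]
        if rest[:1] == ["ike-group"]:
            info["ike-group"] = rest[1]
        elif rest[:1] == ["tunnel"] and len(rest) >= 4:
            info[" ".join(rest[2:-1])] = rest[-1]   # e.g. "local prefix" -> "192.168.127.132/32"
    return info

def group_params(cmds, kind: str, name: str) -> Dict[str, str]:
    """Flatten `set vpn ipsec <kind> <name> ...` into {"proposal 1 hash": "sha1", ...}."""
    return {" ".join(t[:-1]): t[-1] for t in lookup(cmds, "vpn", "ipsec", kind, name)}

def check_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the config is consistent."""
    cmds, problems = parse_set_commands(text), []
    tun = tunnel_info(cmds)
    if not {"local prefix", "remote prefix", "ike-group", "esp-group"}.issubset(tun):
        return ["no policy-based tunnel with ike-group, esp-group and local/remote prefixes"]
    local_ip, remote = tun["local prefix"].split("/")[0], tun["remote prefix"]
    rules = nat_rules(cmds)
    snat = [n for n, r in rules.items() if r.get("type") == "source" and r.get("destination address") == remote]
    excl = [n for n, r in rules.items() if "exclude" in r and r.get("destination address") == remote]
    masq = [n for n, r in rules.items() if r.get("type") == "masquerade" and "exclude" not in r]
    if not snat:
        problems.append(f"no source-NAT rule for traffic to {remote}")
    for n in snat:
        out = rules[n].get("outside-address address")
        if out != local_ip:
            problems.append(f"rule {n}: outside-address {out} is not the tunnel local prefix {local_ip}")
    # NAT rules run in numeric order: a WAN masquerade ahead of the SNAT and exclude rules
    # rewrites tunnel-bound traffic to the WAN address before any IPsec policy can match it.
    for m in masq:
        problems += [f"source-NAT rule {n} is ordered after masquerade rule {m}" for n in snat if n > m]
        if not any(e < m for e in excl):
            problems.append(f"no exclude rule for {remote} ahead of masquerade rule {m}")
    for kind, want in (("ike-group", PEER_PHASE1), ("esp-group", PEER_PHASE2)):
        have = group_params(cmds, kind, tun[kind])
        problems += [f"{kind} {tun[kind]}: {k} is {have.get(k)!r}, peer requires {v!r}"
                     for k, v in want.items() if have.get(k) != v]
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "config is consistent")
```

Feed it the output of `show configuration commands | match "nat|vpn"` (the same `set` form) to run it against a live router; the first post's `outside-address 192.168.127.32` slip is exactly the kind of mismatch the first check reports.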

All Replies
Emerging Member
Posts: 440
Registered: ‎09-13-2018
Kudos: 69
Solutions: 26

Re: IPSec VPN to Fortinet Many to one Source

Do you have control of both ends, i.e. do you control the Fortinet devices?

It is possible the packets are going to the Fortinet, but they are not being routed back to you.

Have you used tcpdump on the EdgeRouter to verify that the packets are being sent? You shouldn't be able to understand the contents, which should be encrypted, but you should be able to see the packets between the VPN endpoints.

I have no experience with the Fortinet devices and what debugging tools they have.

Jon

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

I don't have control of both ends (only my end, which is the ERL), and the other end is not helpful (they advised me to contact the vendor, claiming their settings are all correct).

I've run the following command (sudo swanctl --log) and get different errors depending on the method I'm using to establish the tunnel:

- If VTI, I get complaints about: 06[IKE] CHILD_SA not found, ignored. The tunnel does show active in show vpn ipsec status.

- If tunnel method, I get: 02[IKE] peer not responding, trying again (8/0); however, the tunnel shows up/connecting with sudo ipsec statusall, and show vpn ipsec sa just shows connecting.

I've attached cleaned versions of both my configs (tunnel & VTI). It seems like the VTI method is at least establishing phase 1; I'm just not sure if I have the NAT rules in the right order or if I need to add a route or firewall rule.

My test is just a ping to 10.21.4.238. The firewall rules I've created aren't getting any hits either (the NAT count does go up in the VTI method).

This is the info they gave me:

Phase 1 IKE Properties: SHA1 (PFS Enabled) (Preferred Method)
Key Exchange: 256-bit AES
Data Integrity: MD5
Renegotiate IKE SA: 86400 seconds
DH-Group: Group 5

Phase 2 IPSEC Properties:
Data Encryption: 256-bit AES
Data Integrity: SHA1
DH-Group: Group 5
Perfect Forward Secrecy: Enabled
Renegotiate IPSEC SA’s Every: 43200 Seconds

Thanks.

Emerging Member
Posts: 440
Registered: ‎09-13-2018
Kudos: 69
Solutions: 26

Re: IPSec VPN to Fortinet Many to one Source

Did they ask you for your subnet? Did they give you a subnet to configure your router with?

Are we talking about site-to-site? Or, as implied by the title, a server with many clients connecting to it?

Google "fortinet ipsec client", which may be what they think you are using. And that appears to be PC client based.

IPsec VPN with FortiClient

Good luck.

Jon

Veteran Member
Posts: 7,221
Registered: ‎03-24-2016
Kudos: 1859
Solutions: 821

Re: IPSec VPN to Fortinet Many to one Source

As always, when digging tunnels, both sides must agree on common settings.

So you can't switch between policy-based and route-based without the remote doing the same.

Obviously, your routed (= VTI) mode has an incorrect NAT rule:

Get rid of rule 5000, and replace it with a masquerade rule on vti0 (not eth0!).

Post "sudo swanctl --log" output. And use tcpdump. It'll work fine on the VTI interface, and tcpdump on the eth0 port will show incoming IPsec packets twice: first encrypted, then decrypted.

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

@BuckeyeNet They haven't asked for my subnet. They gave me a source NAT IP of 192.168.127.132/32 for local network traffic and a 10.21.0.0/21 subnet for the remote network. So, site-to-site VPN. (Our PCs will use a service in their network.)

@16again Thanks. I've removed rule 5000. Should I have a masquerade NAT rule for both vti0 and eth0 (as I don't want all traffic going through the tunnel, just stuff sent to 10.21.0.0/21)?

Still unable to ping 10.21.4.238 (tried from a local client and the ERL).

show nat statistics
rule count type IN OUT description
---- ---------- ---- -------- -------- -----------
5001 72 MASQ - vti0 masquerade for Vti
5010 6675 MASQ - eth0 masquerade for WAN

I am seeing some stuff hit the IKE firewall rule now:

show firewall statistics
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_IN" [WAN to internal]

Active on (eth0,IN)

rule packets bytes action description
---- ------- ----- ------ -----------
10 111407 26671932 ACCEPT Allow established/related
20 0 0 DROP Drop invalid state
60 0 0 ACCEPT IPsec
10000 0 0 DROP DEFAULT ACTION

--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL" [enable ping]

Active on (eth0,LOCAL)

rule packets bytes action description
---- ------- ----- ------ -----------
5 4 158 ACCEPT
10 4807 1374541 ACCEPT Allow established/related
20 50 2214 DROP Drop invalid state
30 2 240 ACCEPT IKE
40 0 0 ACCEPT ESP
50 0 0 ACCEPT NAT-T
60 0 0 ACCEPT IPsec
10000 2971 246506 DROP DEFAULT ACTION

Is it normal for the child to be 0.0.0.0/0 === 0.0.0.0/0?

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
uptime: 8 hours, since Dec 02 05:01:43 2018
malloc: sbrk 376832, mmap 0, used 271888, free 104944
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
<my.WAN.ip>
192.168.0.254
192.168.2.254
198.168.127.132
Connections:
peer-<remote.WAN.IP>-tunnel-vti: <my.WAN.IP>...<remote.WAN.IP> IKEv1
peer-<remote.WAN.IP>-tunnel-vti: local: [<my.WAN.IP>] uses pre-shared key authentication
peer-<remote.WAN.IP>-tunnel-vti: remote: [<remote.WAN.IP>] uses pre-shared key authentication
peer-<remote.WAN.IP>-tunnel-vti: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Routed Connections:
peer-<remote.WAN.IP>-tunnel-vti{1}: ROUTED, TUNNEL
peer-<remote.WAN.IP>-tunnel-vti{1}: 0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
peer-<remote.WAN.IP>-tunnel-vti[3]: ESTABLISHED 8 hours ago, <my.WAN.IP>[<my.WAN.IP>]...<remote.WAN.IP>[<remote.WAN.IP>]
peer-<remote.WAN.IP>-tunnel-vti[3]: IKEv1 SPIs: 0438f51216fb71be_i 0ebc5a62ab493652_r*, pre-shared key reauthentication in 15 hours
peer-<remote.WAN.IP>-tunnel-vti[3]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
peer-<remote.WAN.IP>-tunnel-vti{1}: INSTALLED, TUNNEL, ESP SPIs: c2250cd9_i 9dc6b095_o
peer-<remote.WAN.IP>-tunnel-vti{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 162825 bytes_o, rekeying in 3 hours
peer-<remote.WAN.IP>-tunnel-vti{1}: 192.168.127.132/32 === 10.21.0.0/21

The sudo swanctl just keeps repeating the same output:

cinntech@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 1806

1 Active IPsec Tunnels

IPsec Interfaces :
eth0 (<my.WAN.IP>)
cinntech@ubnt:~$ sudo swanctl --log
13[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 4012785934 [ HASH N(DPD) ]
13[ENC] generating INFORMATIONAL_V1 request 3054330036 [ HASH N(DPD_ACK) ]
13[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
16[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
16[ENC] parsed INFORMATIONAL_V1 request 1113476659 [ HASH N(DPD) ]
16[ENC] generating INFORMATIONAL_V1 request 2055727436 [ HASH N(DPD_ACK) ]
16[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
07[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
07[ENC] parsed INFORMATIONAL_V1 request 2374381395 [ HASH N(DPD) ]
07[ENC] generating INFORMATIONAL_V1 request 3393176829 [ HASH N(DPD_ACK) ]
07[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
13[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 4271943723 [ HASH N(DPD) ]
13[ENC] generating INFORMATIONAL_V1 request 3453814907 [ HASH N(DPD_ACK) ]
13[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
09[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 3188137724 [ HASH N(DPD) ]
09[ENC] generating INFORMATIONAL_V1 request 3871743943 [ HASH N(DPD_ACK) ]
09[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
07[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
07[ENC] parsed INFORMATIONAL_V1 request 1192503395 [ HASH N(DPD) ]
07[ENC] generating INFORMATIONAL_V1 request 1686581928 [ HASH N(DPD_ACK) ]
07[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
05[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
05[ENC] parsed INFORMATIONAL_V1 request 686147352 [ HASH N(DPD) ]
05[ENC] generating INFORMATIONAL_V1 request 1607569720 [ HASH N(DPD_ACK) ]
05[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)
06[NET] received packet: from <remote.WAN.IP>[500] to <my.WAN.IP>[500] (92 bytes)
06[ENC] parsed INFORMATIONAL_V1 request 768674741 [ HASH N(DPD) ]
06[ENC] generating INFORMATIONAL_V1 request 1455738531 [ HASH N(DPD_ACK) ]
06[NET] sending packet: from <my.WAN.IP>[500] to <remote.WAN.IP>[500] (92 bytes)

Here's the parsed output from the dump on eth0:

13:51:27.765330 IP <my.WAN.IP> > 10.21.4.238: ICMP echo request, id 1, seq 15245, length 40
13:51:28.108917 IP 41.44.207.12.39853 > <my.WAN.IP>.23: Flags [S], seq 1114055498, win 33718, length 0
13:51:28.639597 IP <my.WAN.IP>.11988 > 69.28.82.225.5060: Flags [P.], seq 873:1360, ack 598, win 16937, length 487
13:51:28.659305 IP 69.28.82.225.5060 > <my.WAN.IP>.11988: Flags [P.], seq 598:1279, ack 1360, win 1452, length 681
13:51:28.660136 IP <my.WAN.IP>.11988 > 69.28.82.225.5060: Flags [.], ack 1279, win 16937, length 0
13:51:29.198529 IP 78.128.112.94.42231 > <my.WAN.IP>.42294: Flags [S], seq 2848650711, win 1024, length 0
13:51:29.617483 IP <my.WAN.IP>.50987 > 162.250.5.71.5938: Flags [P.], seq 24:48, ack 25, win 508, length 24
13:51:29.708805 IP 162.250.5.71.5938 > <my.WAN.IP>.50987: Flags [.], ack 48, win 1024, length 0
13:51:32.471239 IP 93.174.95.106.29011 > <my.WAN.IP>.8090: Flags [S], seq 1212736927, win 17967, options [mss 1460], length 0
13:51:32.536214 IP 176.119.7.26.50537 > <my.WAN.IP>.3399: Flags [S], seq 567470622, win 1024, length 0
13:51:32.765755 IP <my.WAN.IP> > 10.21.4.238: ICMP echo request, id 1, seq 15246, length 40
13:51:37.109691 IP <my.WAN.IP>.56316 > 255.255.255.255.10001: UDP, length 4
13:51:37.111425 IP <my.WAN.IP> > <remote.WAN.IP>: ESP(spi=0x9dc6b095,seq=0x7df), length 84
13:51:37.113215 IP <my.WAN.IP>.43441 > 255.255.255.255.54852: UDP, length 107
13:51:37.118558 IP <my.WAN.IP> > <remote.WAN.IP>: ESP(spi=0x9dc6b095,seq=0x7e0), length 180
13:51:37.765287 IP <my.WAN.IP> > 10.21.4.238: ICMP echo request, id 1, seq 15247, length 40
13:51:42.765850 IP <my.WAN.IP> > 10.21.4.238: ICMP echo request, id 1, seq 15248, length 40
13:51:44.388755 IP <remote.WAN.IP>.500 > <my.WAN.IP>.500: isakmp: phase 2/others ? inf[E]
13:51:44.390660 IP <my.WAN.IP>.500 > <remote.WAN.IP>.500: isakmp: phase 2/others ? inf[E]
13:51:47.766549 IP <my.WAN.IP> > 10.21.4.238: ICMP echo request, id 1, seq 15249, length 40
^C

Veteran Member
Posts: 7,221
Registered: ‎03-24-2016
Kudos: 1859
Solutions: 821

Re: IPSec VPN to Fortinet Many to one Source

Tunnel seems up.

In VTI mode, you also need a static interface route for the remote subnet, pointing to your VTI interface:

set protocols static interface-route 10.21.0.0/21 next-hop-interface vti0

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

Thanks for the assistance. I've asked them to confirm their settings/firewall rules and we'll see if that resolves it.

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

Still having issues. I had a typo in one statement, so the remote site says the tunnel is fine and they can't assist with our network.

I'm thinking this is a routing issue now; just not sure how to fix it.

If I do a capture on vti0 and ping from my workstation, I see the broadcast and that's it.

show interfaces vti vti0 capture
Capturing traffic on vti0 ...
13:04:52.210857 IP 192.168.127.132.49811 > 255.255.255.255.10001: UDP, length 4
13:04:52.214724 IP 192.168.127.132.34211 > 255.255.255.255.49811: UDP, length 107
13:05:23.151903 IP 192.168.127.132.51064 > 255.255.255.255.10001: UDP, length 4
13:05:23.154858 IP 192.168.127.132.37605 > 255.255.255.255.51064: UDP, length 107

If I source the ping from the router [sudo ping -I vti0 10.21.4.238], I see all of it.

If I look at the capture on eth0, I'm still seeing the 10.21.4.231; it doesn't seem to be using my set protocol to vti0 command...

13:13:34.729870 IP 192.168.0.39 > 10.21.4.238: ICMP echo request, id 1, seq 4440, length 40

I've attached my updated config... mind having another look?

Veteran Member
Posts: 7,221
Registered: ‎03-24-2016
Kudos: 1859
Solutions: 821

Re: IPSec VPN to Fortinet Many to one Source

First of all, you need a masquerade rule like below:

        rule 5005 {
            description "masquerade for VTI0"
            outbound-interface vti0
            type masquerade
        }

Rule 5000 only makes sense on a policy-based VPN, but it won't hurt having it.

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

I'm still banging my head on this... still not working for some reason. (I took out the 5000 and added in the 5005 rule you suggested; everything else is as in the config I attached.)

If I ping from the PC I just get broadcasts on the vti capture:

00:32:18.888060 IP 192.168.127.132.43281 > 255.255.255.255.59362: UDP, length 107
00:32:49.897137 IP 192.168.127.132.45156 > 255.255.255.255.10001: UDP, length 4
00:32:49.900757 IP 192.168.127.132.59847 > 255.255.255.255.45156: UDP, length 107

If I traceroute or ping from the router on the vti interface, I see the traffic going out in the capture (but it fails):

traceroute to 10.21.4.238 (10.21.4.238), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *

~$ show interfaces vti vti0 capture
Capturing traffic on vti0 ...
00:36:59.010431 IP 192.168.127.132 > 10.21.4.238: ICMP echo request, id 3693, seq 1, length 64
00:37:00.018118 IP 192.168.127.132 > 10.21.4.238: ICMP echo request, id 3693, seq 2, length 64
00:37:01.018026 IP 192.168.127.132 > 10.21.4.238: ICMP echo request, id 3693, seq 3, length 64
00:37:02.018036 IP 192.168.127.132 > 10.21.4.238: ICMP echo request, id 3693, seq 4, length 64
00:37:03.018084 IP 192.168.127.132 > 10.21.4.238: ICMP echo request, id 3693, seq 5, length 64

$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S *> 0.0.0.0/0 [1/0] via 66.103.x.x, eth0 ****GATEWAY IP*** 
S *> 10.21.0.0/21 [1/0] is directly connected, vti0
C *> 66.103.x.x/30 is directly connected, eth0 ***WAN IP *** (it's a /30 static ip)
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.0.0/24 is directly connected, br0
C *> 192.168.2.0/24 is directly connected, br0.2
C *> 192.168.127.132/32 is directly connected, vti0

$ sudo ping -I vti0 10.21.4.238
PING 10.21.4.238 (10.21.4.238) from 192.168.127.132 vti0: 56(84) bytes of data.
From 192.168.127.132 icmp_seq=18 Destination Host Unreachable
^C
--- 10.21.4.238 ping statistics ---
50 packets transmitted, 0 received, +1 errors, 100% packet loss, time 49002ms

There seem to be a few retransmits and [CHILD_SA not found, ignored]:

$ sudo swanctl --log
01[IKE] sending retransmit 5 of request message ID 3164036507, seq 4
01[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)
14[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (92 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2312982421 [ HASH N(DPD) ]
07[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (92 bytes)
07[ENC] parsed INFORMATIONAL_V1 request 54668074 [ HASH N(DPD) ]
01[KNL] creating delete job for ESP CHILD_SA with SPI ccaf3387 and reqid {1}
16[IKE] giving up after 5 retransmits
16[IKE] initiating Main Mode IKE_SA peer-159.18.x.x-tunnel-vti[14] to 159.18.x.x
16[ENC] generating ID_PROT request 0 [ SA V V V V ]
16[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (160 bytes)
07[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (148 bytes)
07[ENC] parsed ID_PROT response 0 [ SA V V V ]
07[IKE] received NAT-T (RFC 3947) vendor ID
07[IKE] received DPD vendor ID
07[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
07[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (300 bytes)
14[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (284 bytes)
14[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
14[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
14[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (92 bytes)
13[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (76 bytes)
13[ENC] parsed ID_PROT response 0 [ ID HASH ]
13[IKE] IKE_SA peer-159.18.x.x-tunnel-vti[14] established between 66.103.x.x[66.103.x.x]...159.18.x.x[159.18.x.x]
13[IKE] scheduling reauthentication in 85832s
13[IKE] maximum IKE_SA lifetime 86372s
16[KNL] creating acquire job for policy 66.103.x.x/32[ipencap] === 159.18.x.x/32[ipencap] with reqid {1}
13[ENC] generating QUICK_MODE request 515868683 [ HASH SA No KE ID ID ]
13[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)
04[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (76 bytes)
04[ENC] parsed INFORMATIONAL_V1 request 2108022843 [ HASH D ]
04[IKE] received DELETE for ESP CHILD_SA with SPI 29277f24
04[IKE] CHILD_SA not found, ignored
06[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (364 bytes)
06[ENC] parsed QUICK_MODE request 329144296 [ HASH SA No KE ID ID ]
06[ENC] generating QUICK_MODE response 329144296 [ HASH SA No KE ID ID ]
06[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)
04[NET] received packet: from 159.18.x.x[500] to 66.103.x.x[500] (60 bytes)
04[ENC] parsed QUICK_MODE request 329144296 [ HASH ]
04[IKE] CHILD_SA peer-159.18.x.x-tunnel-vti{1} established with SPIs cad6797e_i 29278066_o and TS 192.168.127.132/32 === 10.21.0.0/21
09[IKE] sending retransmit 1 of request message ID 515868683, seq 4
09[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)
06[IKE] sending retransmit 2 of request message ID 515868683, seq 4
06[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)
04[IKE] sending retransmit 3 of request message ID 515868683, seq 4
04[NET] sending packet: from 66.103.x.x[500] to 159.18.x.x[500] (380 bytes)

Firewall stats don't increment (for VPN rules); I only have firewall rules on eth0...

$ show firewall statistics
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_IN" [WAN to internal]

Active on (eth0,IN)

rule packets bytes action description
---- ------- ----- ------ -----------
10 22418 3432337 ACCEPT Allow established/related
20 0 0 DROP Drop invalid state
60 0 0 ACCEPT IPsec
10000 0 0 DROP DEFAULT ACTION

--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL" [enable ping]

Active on (eth0,LOCAL)

rule packets bytes action description
---- ------- ----- ------ -----------
5 0 0 ACCEPT Ping
10 622 88506 ACCEPT Allow established/related
20 49 2115 DROP Drop invalid state
30 0 0 ACCEPT IKE
40 0 0 ACCEPT ESP
50 0 0 ACCEPT NAT-T
60 0 0 ACCEPT IPsec
10000 307 61538 DROP DEFAULT ACTION

NAT stats only seem to increase when I ping/traceroute from the router:

$ show nat statistics
rule count type IN OUT description
---- ---------- ---- -------- -------- -----------
5005 45 MASQ - vti0 masquerade for VTI0
5010 619 MASQ - eth0 masquerade for WAN
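The counters this post quotes can be read mechanically. The script below is an added example (not from the thread or from Ubiquiti) that parses `show firewall statistics` output, sums packet counts per IPsec rule class (IKE, ESP, NAT-T and the match-ipsec rule) and turns the pattern into the next diagnostic question; the sample output embedded in it is a constructed copy of the shape quoted above, with the thread's rule numbers and descriptions.

```python
"""Parse EdgeOS `show firewall statistics` output and read the IPsec rule counters.

Added example, not from the thread or from Ubiquiti. The sample below is a constructed
copy of the output shape pasted in the thread (rule numbers and descriptions as there).
"""
import re
from typing import Dict, List, Optional

SAMPLE_STATS = """
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_IN" [WAN to internal]

Active on (eth0,IN)

rule packets bytes action description
---- ------- ----- ------ -----------
10 22418 3432337 ACCEPT Allow established/related
20 0 0 DROP Drop invalid state
60 0 0 ACCEPT IPsec
10000 0 0 DROP DEFAULT ACTION

--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL" [enable ping]

Active on (eth0,LOCAL)

rule packets bytes action description
---- ------- ----- ------ -----------
5 0 0 ACCEPT Ping
10 622 88506 ACCEPT Allow established/related
20 49 2115 DROP Drop invalid state
30 2 240 ACCEPT IKE
40 0 0 ACCEPT ESP
50 0 0 ACCEPT NAT-T
60 0 0 ACCEPT IPsec
10000 307 61538 DROP DEFAULT ACTION
"""

HEADER_RE = re.compile(r'^IPv4 Firewall "([^"]+)"')
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_firewall_stats(text: str) -> Dict[str, Dict[int, dict]]:
    """{ruleset: {rule number: {"packets", "bytes", "action", "description"}}}"""
    stats: Dict[str, Dict[int, dict]] = {}
    current: Optional[Dict[int, dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = stats.setdefault(header.group(1), {})
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            num, pkts, nbytes, action, desc = rule.groups()
            current[int(num)] = {"packets": int(pkts), "bytes": int(nbytes),
                                 "action": action, "description": desc}
    return stats

def classify(description: str) -> Optional[str]:
    """Map a rule description to the IPsec traffic class it covers, if any.

    Order matters: 'Allow IPSEC ESP' must land on 'esp', not on the generic 'ipsec'
    class used for the match-ipsec (decrypted traffic) rule.
    """
    text = description.lower()
    for key in ("nat-t", "ike", "esp", "ipsec"):
        if key in text:
            return key
    return None

def vpn_rule_hits(rules: Dict[int, dict]) -> Dict[str, int]:
    """Packet counts summed per IPsec traffic class within one ruleset."""
    hits: Dict[str, int] = {}
    for rule in rules.values():
        cls = classify(rule["description"])
        if cls:
            hits[cls] = hits.get(cls, 0) + rule["packets"]
    return hits

def diagnose(stats: Dict[str, Dict[int, dict]], local_ruleset: str = "WAN_LOCAL") -> List[str]:
    """Turn the counters into the question a troubleshooter would ask next."""
    local = vpn_rule_hits(stats.get(local_ruleset, {}))
    findings = []
    if not local.get("ike") and not local.get("nat-t"):
        findings.append("no IKE accepted on the router: the peer is not reaching udp/500 or udp/4500")
    elif not local.get("esp") and not local.get("nat-t"):
        findings.append("IKE accepted but no ESP/NAT-T payload counted: confirm with a capture "
                        "whether encrypted traffic is coming back from the peer")
    for name, rules in stats.items():
        if name != local_ruleset and not vpn_rule_hits(rules).get("ipsec"):
            findings.append(f"{name}: the match-ipsec rule never matched, so nothing decrypted "
                            "was forwarded through the tunnel")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_firewall_stats(SAMPLE_STATS)):
        print("-", finding)
```

One caveat on reading these counters: a zero on the ESP rule is suggestive rather than conclusive when this router initiated the tunnel, because replies to a flow the router started can be counted by the established/related rule that sits ahead of the ESP rule. That is why the capture, not the counter, settles whether ESP is coming back.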

Veteran Member
Posts: 7,221
Registered: ‎03-24-2016
Kudos: 1859
Solutions: 821

Re: IPSec VPN to Fortinet Many to one Source

The UDP 10001 broadcasts aren't from your ping; they're the UBNT discovery protocol. Don't pay attention to them... or disable device discovery.

I'm clueless why ping would translate into a UDP broadcast. Capture to file, open with Wireshark, and see what's inside the packet.

Ping from the ER itself should work across the tunnel; make sure the remote address is pingable.

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

It's using UDP from the traceroute.

The other side said ping is enabled.

I'll do the file dump and see if anything else stands out.

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

I captured to Wireshark...

What I don't understand is that I have the static route for 10.21.0.0/21 to go to vti0:

 static {
     interface-route 10.21.0.0/21 {
         next-hop-interface vti0 {
         }
     }
 }

However, when pinging from the PC (or without sudo ping -I vti0) I still only see this on the eth0 capture, trying to go from:

source x.x.x.74 (my static IP) to destination 10.21.4.238

So it's like my static route isn't taking effect...

If I ping with sudo ping -I vti0, I see the traffic on the vti0 capture:

source 192.168.127.132 to destination 10.21.4.238

If I ping with the PC I see the ping on eth1. I also see the ping on eth0 (both going to 10.21.4.238). There's nothing on the vti0...

Am I missing something to route this to the vti?

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

I think I know what the issue is, but I'm not sure how to fix it (researching while I hope to get a response).

ISP gave me a static IP of x.x.x.74/30

eth0 is set to x.x.x.74/30

CE and gateway is set to x.x.x.73

If I change my site-to-site peer local-address to x.x.x.73, my routing starts to work as expected (my PC pings go through the vti). However, this breaks the tunnel as the other side has x.x.x.74 as their peer address.

Not sure if getting the other side to update their peer to .73 will work, or if I need to change a route and put my tunnel back to .74. (I can't specify /30 in the local-address.)

 

 


IP Route Table for VRF "default"
S *> 0.0.0.0/0 [1/0] via x.x.x.73, eth0
S *> 10.21.0.0/21 [1/0] is directly connected, vti1
C *> x.x.x.72/30 is directly connected, eth0
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.0.0/24 is directly connected, eth1
C *> 192.168.2.0/24 is directly connected, eth1.2
C *> 192.168.127.132/32 is directly connected, vti1

Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source

Scratch that. The issue appears to be with the tunnel. (If the tunnel is 'up' but not completely established, I guess, traffic gets routed to eth0. If the tunnel is down, then the traffic gets routed to the vti interface. I changed my peer to 60.1.1.1 and saw the ICMP go through the vti0 interface.)

In Wireshark I can see the ISAKMP back and forth. However, the ESP traffic is one way (from my WAN to theirs; I get no reply). This also explains why I'm not seeing any hits on my ESP firewall rule.

So, I'm wondering what I may be missing in my IPsec configuration (below is the info provided).

The only thing I can see is that I'm unable to set the ESP dh-group (set invalid). Could this be the issue, as they specify group 5?

Other than that, I'm not sure about the other options available vs. options not listed here (i.e. compression etc.).

IP address: x.x.x.x

Phase 1 IKE Properties:
  SHA1 (PFS Enabled) (Preferred Method)
  Key Exchange: 256-bit AES
  Data Integrity: MD5
  Renegotiate IKE SA: 86400 seconds
  DH-Group: Group 5

Phase 2 IPSEC Properties:
  Data Encryption: 256-bit AES
  Data Integrity: SHA1
  DH-Group: Group 5
  Perfect Forward Secrecy: Enabled
  Renegotiate IPSEC SAs Every: 43200 Seconds

Other Settings: Pre-shared secrets can only be exchanged in a secure manner.

show vpn ipsec
 auto-firewall-nat-exclude disable
 esp-group Telus {
     compression disable
     lifetime 43200
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group Telus {
     ikev2-reauth no
     key-exchange ikev1
     lifetime 86400
     proposal 1 {
         dh-group 5
         encryption aes256
         hash md5
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 site-to-site {
     peer 159.18.x.x {
         authentication {
             mode pre-shared-secret
             pre-shared-secret **********
         }
         connection-type initiate
         description TelusVPN
         ike-group Telus
         ikev2-reauth inherit
         local-address x.x.x.74
         vti {
             bind vti1
             esp-group Telus
         }
     }
 }
[edit]
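To check the `show vpn ipsec` output above against the peer's parameter sheet mechanically, here is an added example (not code from the post or from Ubiquiti). It parses the brace-style output into a tree, resolves the effective phase 1 and phase 2 settings, compares them with the sheet, and flags algorithms that RFC 8247 tells practitioners to avoid. The config text is a constructed copy of the post's output with the peer address, local address and secret replaced by documentation addresses; the peer sheet is transcribed from the post. One assumption is labelled in the code: EdgeOS/Vyatta documents `pfs enable` as "use the DH group of the ike-group", so that is how `pfs enable` is resolved to a group number.

```python
"""Check an EdgeOS `show vpn ipsec` tree against the peer's parameter sheet.

Added example for this thread, not code from the post or from Ubiquiti.
SHOW_VPN_IPSEC is a constructed copy of the post's output (addresses and
secret replaced); PEER_SHEET is transcribed from the peer's sheet.
"""
import re

SHOW_VPN_IPSEC = """\
 auto-firewall-nat-exclude disable
 esp-group Telus {
     compression disable
     lifetime 43200
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group Telus {
     ikev2-reauth no
     key-exchange ikev1
     lifetime 86400
     proposal 1 {
         dh-group 5
         encryption aes256
         hash md5
     }
 }
 site-to-site {
     peer 198.51.100.1 {
         ike-group Telus
         local-address 203.0.113.74
         vti {
             bind vti1
             esp-group Telus
         }
     }
 }
"""

PEER_SHEET = {
    "phase1": {"encryption": "aes256", "hash": "md5", "dh-group": "5", "lifetime": "86400"},
    "phase2": {"encryption": "aes256", "hash": "sha1", "pfs-group": "5", "lifetime": "43200"},
}


def parse_tree(text):
    """Brace-style output -> nested dicts. 'esp-group Telus {' opens a child
    keyed 'esp-group Telus'; '}' closes it; other lines are 'key value' leaves."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            (stack[-1] if stack else root)[line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            (stack[-1] if stack else root)[key] = value
    return root


def effective_pfs_group(esp, ike):
    """Assumption (EdgeOS/Vyatta documented behaviour): `pfs enable` reuses the
    IKE group's DH group, `pfs dh-groupN` pins group N, `pfs disable` is none."""
    pfs = esp.get("pfs", "enable")
    if pfs == "disable":
        return None
    if pfs == "enable":
        return ike["proposal 1"]["dh-group"]
    m = re.fullmatch(r"dh-group(\d+)", pfs)
    return m.group(1) if m else pfs


def weakness(key, value):
    """RFC 8247 algorithm guidance a practitioner would flag on this sheet."""
    if key == "hash" and value == "md5":
        return "HMAC-MD5 integrity/PRF is MUST NOT in RFC 8247"
    if key in ("dh-group", "pfs-group") and value in ("1", "2", "5"):
        return f"MODP group {value} is below the group 14 (2048-bit) floor of RFC 8247"
    return None


def check(tree, peer, sheet):
    """Return (effective settings, mismatches vs sheet, weak-algorithm notes)."""
    p = tree["site-to-site"][f"peer {peer}"]
    ike = tree[f"ike-group {p['ike-group']}"]
    esp_name = p["vti"]["esp-group"] if "vti" in p else p["tunnel 1"]["esp-group"]
    esp = tree[f"esp-group {esp_name}"]
    have = {
        "phase1": {**{k: ike["proposal 1"][k] for k in ("encryption", "hash", "dh-group")},
                   "lifetime": ike["lifetime"]},
        "phase2": {**{k: esp["proposal 1"][k] for k in ("encryption", "hash")},
                   "pfs-group": effective_pfs_group(esp, ike), "lifetime": esp["lifetime"]},
    }
    mismatches = [f"{ph}.{k}: have {have[ph].get(k)!r}, peer wants {want!r}"
                  for ph, wants in sheet.items() for k, want in wants.items()
                  if have[ph].get(k) != want]
    weak = [f"{ph}.{k}={v}: {weakness(k, v)}"
            for ph in have for k, v in have[ph].items() if weakness(k, v)]
    return have, mismatches, weak


if __name__ == "__main__":
    have, mismatches, weak = check(parse_tree(SHOW_VPN_IPSEC), "198.51.100.1", PEER_SHEET)
    print("effective:", have)
    print("mismatches:", mismatches or "none")
    for note in weak:
        print("weak:", note)
```

Run against the posted output the comparison comes back with no mismatches, which is consistent with the ISAKMP exchange completing in the capture; a proposal mismatch would normally fail phase 1 or phase 2 outright rather than produce one-way ESP. The three weak-algorithm notes (MD5 for IKE integrity, DH group 5 for IKE and for PFS) are dictated by the peer's sheet, so the practical fix is to ask the far side for SHA-256 and group 14 or higher rather than to change only this end.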
Emerging Member
Posts: 54
Registered: ‎06-20-2014
Kudos: 3
Solutions: 4

Re: IPSec VPN to Fortinet Many to one Source


I switched to policy-based and got this working. For anyone who wants to connect a site-to-site VPN from an EdgeMAX to a FortiGate with many-to-one source NAT, here's the sum of it:

NAT:

set service nat rule 5000 destination address 10.21.0.0/21
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 192.168.127.132
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.0.0/24
set service nat rule 5000 type source

set service nat rule 5005 description ipsec-exclude
set service nat rule 5005 destination address 10.21.0.0/21
set service nat rule 5005 exclude
set service nat rule 5005 outbound-interface eth0
set service nat rule 5005 protocol all
set service nat rule 5005 source address 192.168.0.0/24
set service nat rule 5005 type masquerade

set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

VPN:

set vpn ipsec auto-firewall-nat-exclude disable

set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs dh-group5
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash md5

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec site-to-site peer <peer.wan.address> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <peer.wan.address> authentication pre-shared-secret ******
set vpn ipsec site-to-site peer <peer.wan.address> connection-type initiate
set vpn ipsec site-to-site peer <peer.wan.address> description VPN
set vpn ipsec site-to-site peer <peer.wan.address> ike-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> ikev2-reauth inherit
set vpn ipsec site-to-site peer <peer.wan.address> local-address <my.wan.address>
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 local prefix 192.168.127.132/32
set vpn ipsec site-to-site peer <peer.wan.address> tunnel 1 remote prefix 10.21.0.0/21

Firewall:

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 destination address 192.168.0.0/24
set firewall name WAN_IN rule 60 ipsec match-ipsec
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 source address 10.21.0.0/21
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow IPSEC IKE'
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC ESP'
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 192.168.0.0/24
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 source address 10.21.0.0/21
set firewall name WAN_LOCAL rule 75 action accept
set firewall name WAN_LOCAL rule 75 description ICMP
set firewall name WAN_LOCAL rule 75 protocol icmp
set firewall name WAN_LOCAL rule 100 action drop
set firewall name WAN_LOCAL rule 100 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 100 state invalid enable
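The working recipe above depends on two things lining up: the source NAT rule must translate LAN traffic for 10.21.0.0/21 to 192.168.127.132 before any masquerade catches it, and the tunnel's phase-2 selector (local prefix 192.168.127.132/32, remote prefix 10.21.0.0/21) must match the post-NAT flow. The following added example (not code from the post or from Ubiquiti) models that: it evaluates the three NAT rules from the final post in rule-number order with first-match semantics, then classifies whether the resulting packet falls inside the selector (sent as ESP) or leaves eth0 in the clear. It also shows what happens when the catch-all masquerade is numbered ahead of the source rule. Constructed values: 203.0.113.74 stands in for the redacted x.x.x.74 WAN address, and 192.168.0.10 / 10.21.4.238 / 1.1.1.1 are the sample hosts.

```python
"""Model EdgeOS NAT rule order and the phase-2 selector for the final config.

Added example for this thread, not code from the post or from Ubiquiti.
Prefixes follow the final post; 203.0.113.74 is a constructed stand-in for
the redacted x.x.x.74 WAN address. Assumption: NAT rules are evaluated in
ascending number order, first match wins, and `exclude` stops evaluation
without translating.
"""
from ipaddress import ip_address, ip_network

WAN_IF, WAN_IP = "eth0", ip_address("203.0.113.74")
LAN = ip_network("192.168.0.0/24")
REMOTE = ip_network("10.21.0.0/21")
TUNNEL_LOCAL = ip_address("192.168.127.132")

# NAT rules 5000 / 5005 / 5010 as in the final post.
NAT_RULES = [
    {"rule": 5000, "type": "source", "out": WAN_IF, "src": LAN, "dst": REMOTE,
     "outside": TUNNEL_LOCAL},
    {"rule": 5005, "type": "masquerade", "out": WAN_IF, "src": LAN, "dst": REMOTE,
     "exclude": True},
    {"rule": 5010, "type": "masquerade", "out": WAN_IF},
]

# tunnel 1 local prefix / remote prefix from the final post.
SELECTOR = (ip_network("192.168.127.132/32"), REMOTE)


def apply_nat(rules, src, dst, out_if=WAN_IF):
    """Return (post-NAT source, deciding rule number) for a packet leaving out_if."""
    src, dst = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: r["rule"]):
        if r["out"] != out_if:
            continue
        if "src" in r and src not in r["src"]:
            continue
        if "dst" in r and dst not in r["dst"]:
            continue
        if r.get("exclude"):
            return src, r["rule"]          # matched, left untranslated
        if r["type"] == "source":
            return r["outside"], r["rule"]
        if r["type"] == "masquerade":
            return WAN_IP, r["rule"]       # masquerade uses the egress address
    return src, None


def egress(rules, src, dst, selector=SELECTOR):
    """'esp' when the post-NAT flow matches the phase-2 selector, else 'clear'."""
    nat_src, rule = apply_nat(rules, src, dst)
    local, remote = selector
    via = "esp" if nat_src in local and ip_address(dst) in remote else "clear"
    return {"src": str(nat_src), "rule": rule, "via": via}


def misordered(rules):
    """The same rules with the catch-all masquerade renumbered ahead of 5000."""
    return [dict(r, rule=4990) if r["rule"] == 5010 else dict(r) for r in rules]


if __name__ == "__main__":
    print("LAN -> remote  :", egress(NAT_RULES, "192.168.0.10", "10.21.4.238"))
    print("LAN -> internet:", egress(NAT_RULES, "192.168.0.10", "1.1.1.1"))
    print("misordered     :", egress(misordered(NAT_RULES), "192.168.0.10", "10.21.4.238"))
```

In this model, LAN traffic to the remote subnet is translated by rule 5000 to 192.168.127.132 and therefore matches the selector; rule 5005 is never reached for that traffic, because 5000 matches first, and internet-bound traffic falls through to the masquerade at 5010 and is routed in the clear as expected. With the masquerade renumbered ahead of the source rule, the packet to 10.21.4.238 leaves eth0 as 203.0.113.74 in the clear, which is exactly the on-wire shape to look for in a capture when tunnelled traffic is leaking untranslated.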